It should be free. Easily integrable with asp.net mvc. Extremely light-weight. It must sanitize the input.
for example, say if the user enters
hhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
It must not break the formatting of the page!
if the user enters some nasty html or maybe any html at all or any javascript code, it should reject that.
It would be awesome if it did some sort of cuss-word checking too, but that is not a requirement.
It can be jquery based.
Before you feel tempted to mark this question as duplicate, do check whether other questions are very old or something like that.
There are lots of RTEs that can be easily integrated into an asp.net page.There are many that are jquery based. See here I use server side code to sanitize. There are a number of classes that can be used to sanitize html. Run the user entered text thru the sanitizer to strip the markup.I am using http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/
Jeff Atwoods code is here
Also see this SO post
Related
I've a Web API project which is consumed by an MVC project. The MVC project has a fair amount of user inputs which are displayed as output on the web page.
Now, I want to protect my site from XSS attacks. I've read about Microsoft's AntiXss library, input validations, output filtering etc. But my question is, How do I apply this to my project. Where to put input validations, how to filter my output, how do i sanitize user data, do I need to sanitize the data in APIs also or just in MVC before I send it to the APIs, and if yes, then how, where to use AntiXss library, in MVC or in web API, and how etc.
The answer depends on how exactly user input makes its way into the page DOM in the browser.
If the MVC application generates cshtml pages (with Razor), you need to implement output encoding there, in cshtml files. Note that AntiXSS as a separate library is now deprecated, it's now in the System.Web.Security.AntiXss namespace by default. You need to encode all output according to the context that they get written into (most importantly, you need to encode any input that's written in a Javascript context, be it a script tag, an event attribute like onclick, the first character of a href for an a tag, etc). For plain html output (text between tags) Razor already provides html encoding by default, so it's ok to just do <div>#myVar</div>.
If your frontend consumes something like a JSON API, then you probably have some kind of a client side template engine (Knockout, etc). In that case, it's reasonably safe to send data as received from the user back to the client with an application/json content type (that's actually very important). Then you have to carefully select binding methods to always bind user input as text and not as html to the page elements. This practically means things like using Knockout's text binding instead of html or using jQuery's .text() method instead of .html(), etc.
Please note that a full tutorial on XSS prevention would be way longer than an answer here, so this answer only highlights some high level things and the general way this should be done to prevent XSS.
using data source we can show the data in web page. but i want that there is radio button with all rows and after accessing the radio button the given functionality works?
how to do it please explain?
you need to be more clear with your question - if you already have some code then post it and then ask the how your code needs to do something specific
since the comment was amended
in ItemDataBound event
do something like (e.FindControl("controlname") as RadioButton).SelectedValue
im not quite sure if its c# or vb that you are writing in so cant be more specific at this time
Based on your comment in the other answer I understand that you're actually using WebForms server controls with Asp.net MVC application.
Avoid mixing an matching Asp.net MVC with WebForms
Unless you're skilled in both platforms I suggest you avoid this. It will only bring you headaches in the long run. Displaying and consuming checkboxes/radiobuttons (or any List<T>) should be done differently in MVC. Check this questions (and answer) out that will help you out and show you how this can be done in pure MVC way.
It also explains what things to take care when you dynamically add these items on the client side using Javascript.
i recently was working on an ASP.NET MVC site that basically serves static html and uses ajax gets to return data to the page when inputs are changed. there is actually no posting or getting from an html input tag on the pages at all. (it is a specific style of site that is not used by the general public, so having compatibility problems for people without javascript is not an issue)
after designing the site, i realised that i hadn't even included any form tags. as the site does not use any direct posts or gets, and apart from it being just good html design, i wondered, in my particular situation, if there was any point to having any form tags on the page?
As ASP.NET MVC tries to differ from Web Forms, to introduce a new approach in designing web applications. They do not require forms. In fact i think it's better not to be used for navigation, submitting data, etc. Otherwise, there is no use of the MVC pattern if you still do it "the good old ASP.NET" way.
Of course ... I'm sure there are good reason forms to be used in proper places, but not as a general concept in your design.
You can read here: http://msdn.microsoft.com/en-us/magazine/cc337884.aspx how MVC was introduced in the beginning. "ASP.NET MVC - Building Web Apps without Web Forms" by Chris Tavares
Retaining a form is useful if you need your application to degrade gracefully if JavaScript is disabled or the likes. Also, jQuery and Prototype have nice Ajax helpers for serializing inputs using a form, which is really nice when you have multiple sets of data that could be submitted to different ajax endpoints from one page.
So I guess the answer to my question is no.
If I have a search box on my page I clearly do not want the user to input any code that may be dangerous.
However, I have a lot of data entry pages and each one needs to have ValidateInput(false) on the controllers.
I don't want to allow dangerous input, but I also don't want to handle this in each and every controller.
Is there a way that the default, and ugly, error .Net error message can be overwritten, or is there a uniform way of handling this across controllers.
EDIT
I think maybe I didn't ask the question correctly.
For every data entry page I have I have to turn of Input Validation. This becomes somewhat boring and cumbersome. Each time I accept input I need to HTMLEncode and then HTMLDecode later.
Is there a way to do this in one central place and automatically?
About output:
Here's an interesting post.
And another one from Steve Sanderson.
I just read that post some time ago - haven't tried myself.
Give some feedback how it turns out.
About input:
you could try to mess around with model binder and HtmlEncode values it takes.
ASP.NET and MVC don't allow HTML submissions by default. You have to actively enable this. See the ValidateInputAttribute for more information.
Also, even more important than not allowing HTML input is not displaying user submitted HTML when you create output. That's why all of the default generated views use Html.Encode, and why you should, too.
Update in response to edited question
Yes, it's possible (though probably not advisable) to turn off ValidateInput globally. Make a parent controller type, and put
[ValidateInput(false)]
...on the class.
Also, I don't recommend encoding input. If you allow users to input HTML, I'd store that as-is. Your web app might not be the only thing which queries your DB! In terms of filtering out "dangerous" HTML, that's extraordinarily difficult. I'd use a tested, third-party sanitization library.
Now that RC1 is out I need to decide once and for all whether to use MS Ajax libraries or just jQuery for AJAX requests. The application is a new application. Essentially the way I'll decide is whether or not i get any significant benefit from the Microsoft libraries that I wouldn't get from jQuery. I already HAVE jQuery loading and I am concerned about the extra overhead of file size more than anything.
As far as I'm aware -- the only benefit really is that there are helpers like Ajax.BeginForm, but perhaps these will work with jQuery at some point anyway? I was also told today by a government employee friend of mine that MS Ajax library has a LOT of bugs in it - which concerns me.
With Microsoft now having officially befriended jQuery I wouldn't be too worried about them doing anything in future to leave jQuery in the dust by enhancing their own libraries.
I really don't know a whole lot about exactly what MS Ajax actually does for me. Are there certain pros and cons. Or is it just 90% bloat to support 'update panel' ?
I also find it very interesting that the ASP.NET MVC in Action book just skips over the MS Ajax libraries and jumps straight into jQuery :
In this chapter the reader will
examine how the ajax technique is
applied to ASP.NET MVC in a more
seamless way than with Web Forms. The
reader will see how to leverage an
increasingly popular, lightweight
javascript library called jQuery.
(from free sample chapter on AJAX)
Would very much appreciate hearing from anyone about their experiences workin with both, expecially on the following additional questions :
is it easy to convert code between the two libraries - assuming relatively simple ajax requirements ?
is debugging notably better or faster in either library
anybody know how ASP.NET 4.0 is progressing and any announced plans for the AJAX library that might be beneficial to MVC?
what in a nutshell could MS AJAX do for an MVC app beyond sending requests and sticking the response in a DIV?
how do i do the equivalent of Ajax.BeginForm(...) and use jQuery ?
what was your deal killer one way or the other?
what are most people out there using?
Personally, I would stick with JQuery. MS AJAX is pretty heavyweight in terms of size and you can do so much with JQuery. As far as whether it is easy to convert code, well it depends on how much of the MS AJAX stuff you are using. I don't think there is really much appreciable difference in debugging from one to the other. You will have a larger community of JQuery users from which to pull resources.
You can (and I do) use both depending on the need. When I want a particular form to be non-javascript friendly AND I'm generating content on the server, I'll use MS AJAX via the AjaxHelper. It builds everything I need on the client side to handle the non-javascript enabled browser. I only need to detect AJAX/non-AJAX in the controller and return a partial or a full view depending. If I need to use AJAX as part of a plugin (say autocomplete), then I'll use jQuery. The point is I use the tool that best suited (easiest to implement) for me. Granted, most of my apps run on an intranet so I'm much less concerned about the size of the downloads.
I also found the jQuery announcement about MS incorporating the library
Apparently :
Additionally Microsoft will be
developing additional controls, or
widgets, to run on top of jQuery that
will be easily deployable within your
.NET applications. jQuery helpers will
also be included in the server-side
portion of .NET development (in
addition to the existing helpers)
providing complementary functions to
existing ASP.NET AJAX capabilities.
So I'm thinking its quite probable that they'll end up having jQuery helpers that exactly mirror the AJAX helpers for the MS stuff.
I guess solution I'll take is to use Html.BeginForm, and then intercept the submit button to use jQuery. I'm not especially worried about people without javascript losing functionality, but its not that much harder to do so I may as well.
JQuery is much easier to code than Ajax allot of the problems with overhead can be remedied by adding more memory rather than by stream lining code. Ajax just does not make any sense to me although I'm just a beginner at it. After dealing with the overly criptic Ajax syntax, jQuery is like a breath of freash air.
Well there is one thing that I found with MS Ajax framework that cannot be done elegantly with jQuery. User controls build MS Ajax are very object oriented. This cannot be easily done with jQuery. For example, lets assume you are building a "address" user control, that will have address1, address2, city, state, zipcode and country. You can build this control with jQuery and Ajax but the benefit that's provided by Ajax library is that it will compartmentalize the address control. You can define a function "reset()" on that control that would reset the contents of address control. Lets say that you want "reset()" to set address1, address2, City to Empty string but State to "AL" and Country to USA. You define the code for Ajax control in (.js) file and that function will be associated with your address control. Same is not possible with jQuery. Any function you define will be global in scope and there is no easy way to tie that function Address control. You can very well call the "reset" function on textbox control on the form!!!
So if you want to create a pure object oriented user controls then i guess better choice is using MS Ajax framework.